From http://tomcat.apache.org/security-5.html
Fixed in Apache Tomcat 5.5.23
Information disclosure CVE-2005-2090
Requests with multiple content-length headers should be rejected as invalid.
When multiple components (firewalls, caches, proxies and Tomcat) process a
sequence of requests where one or more requests contain multiple content-length
headers and several components do not reject the request and make different
decisions as to which content-length leader to use an attacker can poision a
web-cache, perform an XSS attack and obtain senstive information from requests
other then their own. Tomcat now returns 400 for requests with multiple
content-length headers.
Affects: 5.0.0-5.0.HEAD, 5.5.0-5.5.22